We don’t have the release manager’s public key (6372C20A)
in our local system. In order to proceed with the verification we need
to retrieve the release manager’s public key from a key server. One such
server is pgp.uni-mainz.de. The public key servers
are linked together, so you should be able to connect to any key server.

Now we have received a public key for an entity known as “Sebastian
Bergmann <sb@sebastian-bergmann.de>”. However, we have no way of
verifying this key was created by the person known as Sebastian
Bergmann. But, let’s try to verify the release signature again.

At this point, the signature is good, but we don’t trust this key. A
good signature means that the file has not been tampered with. However,
due to the nature of public key cryptography, you need to additionally
verify that key 6372C20A was created by the real
Sebastian Bergmann.

Any attacker can create a public key and upload it to the public key
servers. They can then create a malicious release signed by this fake
key. If you then tried to verify the signature of this corrupt release,
verification would succeed, because the signature was made with the
attacker’s key and not the “real” key. Therefore, you need to validate
the authenticity of this key. Validating the authenticity of a public
key, however, is outside the scope of this documentation.
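
Once the release manager’s full key fingerprint has been obtained through a channel you trust (that step stays outside this documentation), the check itself can be scripted so that a good signature from any other key is rejected. This is an added example, not part of the PHPUnit documentation: the function names and the sample status lines are constructed, and it assumes a 40-hex-digit fingerprint rather than the short key ID shown above.

```shell
#!/bin/sh
# Added example: accept a PHAR only if a valid signature comes from a pinned key.

# Constructed sample of `gpg --status-fd 1 --verify` output (all values made up).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2024-01-01 1704067200 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Read gpg status lines on stdin and print the primary-key fingerprint of the
# signer. Fails unless there is exactly one VALIDSIG and no bad, expired or
# revoked signature status.
status_fingerprint() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" { n++; fpr = (NF >= 12) ? $12 : $3 }
        END { if (bad || n != 1) exit 1; print toupper(fpr) }
    '
}

# Compare two fingerprints ignoring spaces and case. Anything shorter than a
# full 40-hex-digit fingerprint (such as an 8-digit key ID) is rejected.
fingerprint_matches() {
    a=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ "${#a}" -ge 40 ] && [ "$a" = "$b" ]
}

# verify_phar FILE SIGNATURE PINNED_FINGERPRINT
verify_phar() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    fpr=$(printf '%s\n' "$status" | status_fingerprint) || return 1
    fingerprint_matches "$fpr" "$3"
}

# Run the check only when the script is called with three arguments.
if [ "$#" -eq 3 ]; then
    verify_phar "$@" || { echo "REJECTED: $1" >&2; exit 1; }
    echo "OK: $1 is signed by the pinned key"
fi
```

The TRUST_UNDEFINED line in the sample corresponds to the “good signature, untrusted key” state described above; the pinned fingerprint is what decides acceptance.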

Manually verifying the authenticity and integrity of a PHPUnit PHAR using
GPG is tedious. This is why PHIVE, the PHAR Installation and Verification
Environment, was created. You can learn about PHIVE on its website.

Composer

Simply add a (development-time) dependency on
phpunit/phpunit to your project’s
composer.json file if you use Composer to manage the
dependencies of your project:

composer require --dev phpunit/phpunit ^master

Global Installation

Please note that it is not recommended to install PHPUnit globally, as /usr/bin/phpunit or
/usr/local/bin/phpunit, for instance.

Instead, PHPUnit should be managed as a project-local dependency.

Either put the PHAR of the specific PHPUnit version you need in your project’s
tools directory (which should be managed by PHIVE) or depend on the specific PHPUnit version
you need in your project’s composer.json if you use Composer.